HIPAA Compliance Blog


Last month, Jay Hodes, President of Colington Consulting, provided comments to Renal & Urology News regarding the effectiveness of HIPAA Security Awareness Training. The HIPAA Security Rule requires that all staff of Covered Entities receive annual HIPAA training. This training is also required for members of a Business Associate's workforce who must access protected health information in the course of providing services.

With 80% of HIPAA data breaches caused by human error, training your workforce can help cut down on costly HIPAA fines and penalties and promote a culture of compliance within your organization. “At the end of training, the person should walk away feeling like they understand HIPAA better,” Hodes said. “There is nothing worse for an organization than to have someone say after a breach, ‘No one ever told me I couldn't take that laptop home.’” If your organization is investigated for a HIPAA violation or a data breach, the HHS Office for Civil Rights will ask for documentation that you trained your workforce.

There are a number of ways the training requirement can be met. Whether you use a video presentation, an instructor-led class, or a web-based program, the goal is to satisfy this annual requirement.

Related Posts

HIPAA Training: What is Required?

Let me try to bring some clarity to what is required for HIPAA Security Awareness Training, especially for small healthcare providers and business associates. The U.S. Department of Health and Human Services (HHS) provides guidance on the training requirements of both the Privacy Rule and the Security Rule. The descriptions of the two are very similar; however, the Security Rule has four specific implementation specifications that must be met.

A simple way to determine which rule applies to your situation is this: the Privacy Rule covers practices that use paper charts; the Security Rule covers practices that use electronic health records (EHR). The Security Rule also applies to business associates. Even if your practice uses EHR, most of the Privacy Rule still applies to patients’ privacy issues.

The following is a breakdown of the requirements for each:

HIPAA Privacy Rule § 164.530(b)

A covered entity must provide training that meets the requirements of this section of the Code of Federal Regulations (CFR), as follows:

• The training for a covered entity must cover all policies and procedures with respect to protected health information;

• Each member of the covered entity's workforce must receive the training;

• The training must occur within a reasonable period of time after a new staff member joins the covered entity's workforce;

• A covered entity must document that the training was provided;

• Training must occur on an annual basis, at minimum.

HIPAA Security Rule § 164.308(a)(3)

A covered entity and a business associate must provide training that meets the requirements of this section of the Code of Federal Regulations (CFR), as follows:

• The training for a covered entity and business associate must cover all policies and procedures with respect to safeguards for electronic protected health information;

• Each member of the covered entity's and business associate’s workforce must receive the training;

• The training must occur within a reasonable period of time after a new staff member joins the covered entity's or business associate’s workforce;

• A covered entity and business associate must document that the training was provided;

• Training must occur on an annual basis, at minimum.

According to the CFR for the Security Rule, the following four implementation specifications must be covered:

As you can see, both rules share a number of the same requirements. However, one major difference is that the HIPAA Security Rule extends to business associates and includes the four implementation specifications.

Here are five best practices to follow regarding HIPAA Security Awareness Training:

1. A training program must be in place that covers workplace policies and procedures for safeguarding all protected health information.

2. All training needs to be documented. This includes keeping a list of those who received the training and their completion dates.

3. Training must be conducted on an annual basis. It is also a good idea to make periodic refreshers available.

4. Training should cover your Sanction Policy, which explains what disciplinary action can occur if policies and/or procedures are violated.

5. Training for the HIPAA Security Rule must cover the four implementation specifications.

by Jay Hodes, President - Colington Consulting

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT?

What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that took effect in 2003 to ensure that patients’ medical records and other health information provided to health plans, hospitals, doctors and other health care providers are protected. HIPAA is enforced by the U.S. Department of Health and Human Services. It provides nationwide privacy and security standards for patient information, while allowing patients greater access to their medical records and more control over how their personal health information is used and disclosed. HIPAA established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (medical provider).

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Standards and Implementation Specifications that must be addressed with policies and procedures. They all apply to Covered Entities and Business Associates. The HIPAA rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

• Administrative safeguards

• Physical safeguards

• Technical safeguards

These safeguards ensure the confidentiality, integrity, and security of protected health information (PHI). While “required implementation specifications” must be implemented, “addressable implementation specifications” must be implemented if it is appropriate and reasonable to do so. Your choice must be documented. Do not make the mistake of automatically thinking that “addressable implementation specifications” are optional. If you are unsure if any “addressable implementation specifications” apply to you, it is best to implement them, as most are considered to be standard “best practices” for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of HIPAA “required” controls you will need to implement.

One of the main requirements is controlling your staff members’ access to patients’ records. This requires unique user identification, with login and logout, for identifying and tracking each user, as well as comprehensive HIPAA training for your staff. Staff will often find HIPAA compliance inconvenient, but they must recognize it is for their own protection.

You must have a secure procedure for accessing PHI during an emergency. Should the power go off, do you have a back-up power source? Are your records securely backed up in compliance with HIPAA? Healthcare organizations should have a contingency plan in place for emergency operations and disaster recovery.

It is advisable that all patient data be protected by encryption and decryption mechanisms. After a risk assessment, all laptops, computers, and mobile devices may need to be encrypted. Do you have firewall protection? Is your network accessible from outside your business? Do you have intrusion protection? Is your wireless network secured? Any company that handles sensitive patient data protected by HIPAA should run a cybersecurity assessment to thoroughly check its network, determine how secure it is, and identify the measures that must be taken to close any holes in that system.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once You Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training, and employees need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and it will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never-ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must satisfy in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting’s staff are experts in the field who know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements, relieving you of any doubt about the status of your business’s HIPAA compliance.

Colington Consulting Adds New Option for HIPAA Training

Washington, DC (PRWEB) May 18, 2016

Colington Consulting, a leading provider of HIPAA compliance services and training for small to mid-size organizations, is helping healthcare organizations that are ill-prepared for data breaches, audits and cyberattacks avoid the lawsuits and fines that come along with them.

“Penalties for HIPAA violations, which include not training your workforce, can reach $1.5 million or more depending on the level of negligence and the number of violations of various federal codes,” says President and Founder of Colington Consulting Jay Hodes, former Assistant Inspector General of Investigations at the U.S. Department of Health and Human Services.

The HIPAA Security Rule requires that all staff of covered entities and business associates receive security awareness training annually. Training records may be requested by the Office for Civil Rights (OCR) during an audit or compliance review. “Educating your workforce is an important aspect in helping to prevent breaches from occurring and making sure the proper safeguards are in place to protect health information and records,” says Hodes.

Parkview Health System, Inc. agreed to settle with the U.S. Department of Health and Human Services OCR for potential HIPAA violations. Parkview paid $800,000 and was required to adopt a corrective action plan to address deficiencies in its HIPAA compliance program. One of those deficiencies includes training, the kind of training Colington Consulting provides.

Colington Consulting has developed innovative web-based programs that allow organizations to meet regulatory requirements, avoid costly fines and potential lawsuits, and save time in the process. As a new option, Colington Consulting now offers an instructor-led webinar for healthcare professionals and business associates required to complete annual HIPAA Security Awareness Training. Alternatively, participants can complete the program through a web-based course that takes as little as 60 minutes. The programs are not only easily accessible, they are affordable. But, says Hodes, most importantly, they are effective.

What is a HIPAA Certification?

Chances are, you’ve seen the acronym “HIPAA” many times, and wondered what it stands for. It’s the abbreviation for the Health Insurance Portability and Accountability Act, which was enacted in 1996 as a step toward healthcare reform.

One of the purposes of HIPAA was to ensure that health insurance was portable, so that people wouldn’t lose their coverage when they changed or lost their jobs. In addition, HIPAA establishes stringent privacy requirements governing the sharing of patient medical records in the United States. This is why U.S.-based healthcare workers need to understand HIPAA Certification and why choosing the right HIPAA Certification program is so important.

Why HIPAA Training and Certification Matters

HIPAA requirements are highly complex and could result in millions of dollars in fines and even criminal indictments for companies in violation of those regulations. For example, if patient information is unintentionally compromised to unauthorized third parties – whether through carelessness, a lack of discretion, or an avoidable breach of cybersecurity – it could have devastating consequences for your practice.

Many different companies offer private certifications in HIPAA compliance. However, these certifications are not approved by the federal government or recognized by OCR. You need to know what to look for when choosing the right certification program, and determine if it is appropriate for your circumstance.

Here’s an overview of the types of certifications available:

• Privacy and Security Awareness Training. This integral course covers cyber security awareness training as well as role-based information security training for executives, IT administrators, and managers. While not limited to HIPAA, the course does address HIPAA compliance.

• Certified HIPAA Professional (CHP). This level-1 certification program covers the basics of HIPAA compliance as well as the history of the law, and has no educational prerequisites. Ideal for employees at healthcare organizations who have access to personal health information, this certification has broad applications that anyone from healthcare providers to administrative staff, executives, supervisors, and IT security staff could use to their benefit.

• Certified HIPAA Administrator (CHA). This certification is more detailed, and most useful to those who directly deliver or oversee the delivery of healthcare services, including nurses and hospital administrators. This certification is most concerned with data privacy compliance, and focuses on the ways in which the HIPAA legislation affects patients and the dissemination of their sensitive medical information. It is most useful in helping to understand how to comply with HIPAA requirements and how they affect patients on a day-to-day basis.

• Certified HIPAA Security Specialist (CHSS). This is a higher-level certification that requires applicants to already hold a Certified HIPAA Professional (CHP) certification. Generally designed for IT employees in the healthcare field, the CHSS qualification focuses on the technical aspects of HIPAA compliance, including security standards and practices and how they apply to the storage and management of electronic medical records.

Choosing the Right HIPAA Certification Program

There are many different HIPAA certification providers, but choosing the right one for your practice can be difficult given the fact that the government doesn’t endorse or regulate any of these companies.

And it’s not just administrators who need HIPAA certification. Anyone at your practice who handles patient data on a daily basis could benefit from this certification. To find the right certification and the right provider for your practice, contact Colington Consulting at 800-773-6379. They are experts in the field of HIPAA rules and procedures. Colington Consulting can help you avoid problems and steep fines by bringing your practice into complete HIPAA compliance. It is what they do best, allowing you to do what you do best … provide health care to your patients.

What to Do After a HIPAA Breach?

Imagine: One of your office staff members takes a laptop containing PHI (protected health information) home to do some work, and the computer is stolen. Or, maybe another staff member is in a hurry and accidentally includes a list of confidential patient information (including names, addresses, contact info, social security numbers, etc.) in another patient’s “new patient package” that is sent out in the mail.

In either of these cases, your practice has just committed a serious HIPAA breach.

If an event like this occurs, does your staff know what to do? Do they know who to report the incident to? Is there a HIPAA Security Official present who understands the steps that need to be taken when there is a HIPAA breach? Do they know the breach notification steps? And is the HIPAA Security Official receiving ongoing training to keep up with the constant changes in PHI security and privacy, and the implications of the HITECH Act passed by Congress to address extensive breach notification requirements?

Mandated Notification and Reporting of HIPAA Breaches: the HITECH Act

When a HIPAA breach occurs, the provider must do the following:

• Provide notification via first class mail or email to everyone whose PHI was breached, within 60 days. This notification must include a brief description of what occurred, the date of the breach, and the date of the discovery of the breach.

• The notification needs to include a clear description of the type of PHI involved, as well as the steps the individual should take to protect themselves from potential harm due to the breach.

• The provider must include a brief written statement as to what the office is doing to investigate the breach, mitigate losses, and protect against any breaches in the future. Be sure to include your contact information.

• If the breach involves the PHI of 500 or more individuals, the provider must notify prominent media outlets.

• As required, the provider must report all breaches to the Secretary of Health and Human Services (HHS).

It is important to note that ALL breaches must be reported to HHS, per HITECH rules. Some of the most common breaches that are reported include:

• Unauthorized access to PHI

• Unauthorized disclosure of PHI

• Theft

• Hacking/IT incident

• Loss

These breaches occurred at, and were reported by, health care provider offices and business associates. This may suggest a lack of training, a failure to understand the requirements, or simply a failure to adhere to HIPAA requirements.

Costs of a HIPAA Breach

Depending on the size and scope of a HIPAA breach, costs can potentially reach more than $1 million in fines alone. According to a recent study conducted by Protenus, a company that provides patient privacy monitoring, the cost of lost business could be as much as $3.7 million. Then there are the costs of staff time to perform remediation and reporting duties, not to mention possible legal costs and prison sentences for those involved in the breach.

Additionally, when you consider the long-term, far-reaching effects on an individual by illegally disclosing PHI in a HIPAA breach, it is easy to understand how this type of situation can be a public relations nightmare, and bring your business to its knees.

If you are concerned about your business’s privacy and security needs, HIPAA compliance, and proper response should you have a HIPAA breach at your office, contact Colington Consulting at 800-733-6379. They are experts in the field of HIPAA and HITECH rules and procedures. Colington Consulting will help you avoid problems and steep fines by bringing your business into complete HIPAA and HITECH compliance, and take you through the necessary reporting and mitigation procedures should you experience a breach. It is what they do best, allowing you to do what you do best … provide health care to your patients.

10 Reasons to be HIPAA Compliant

Here is a reprint of a recent online article written by Nick McGregor and posted by CMIT Solutions. Item #7 on the list calls for an increase in enforcement of HIPAA compliance by HHS, which is all the more incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties can be initiated by any complaint, breach, or discovered violation.

2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.

3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.

4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.

5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.

6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.

7. The Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities, calling for professionals with experience in privacy and security compliance and enforcement.

8. State Attorneys General are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.

9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.

10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.